There's a catch-22 in SASL mechanism negotiation with arbiters. To avoid a second round trip for mechanism negotiation, drivers need to add saslSupportedMechs to the initial ismaster command. This appears to fail on arbiters with a UserNotFound error. Instead, arbiters should reply with a normal ismaster response without a saslSupportedMechs field, so that drivers can discover that the server is an arbiter, after which they won't attempt authentication anyway.
Repro:
- set up a 3.7.3 server with authentication and a user
- connect with an old client (to avoid SERVER-33947)
- manually run ismaster with saslSupportedMechs
$ ~/mongodb/3.4.14/bin/mongo metis.local:57058
MongoDB shell version v3.4.14
connecting to: mongodb://metis.local:57058/test
MongoDB server version: 3.7.3
WARNING: shell and server versions do not match
MongoDB Enterprise foo:ARBITER> use admin
switched to db admin
MongoDB Enterprise foo:ARBITER> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"})
{
    "operationTime" : Timestamp(1523475642, 1),
    "ok" : 0,
    "errmsg" : "Could not find user root@admin",
    "code" : 11,
    "codeName" : "UserNotFound"
}
By contrast, connecting to a secondary works:
$ ~/mongodb/3.4.14/bin/mongo metis.local:57048
MongoDB shell version v3.4.14
connecting to: mongodb://metis.local:57048/test
MongoDB server version: 3.7.3
WARNING: shell and server versions do not match
MongoDB Enterprise foo:SECONDARY> use admin
switched to db admin
MongoDB Enterprise foo:SECONDARY> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"})
{
    "hosts" : [
        "metis.local:57038",
        "metis.local:57048"
    ],
    "arbiters" : [
        "metis.local:57058"
    ],
    "setName" : "foo",
    "setVersion" : 1,
    "ismaster" : false,
    "secondary" : true,
    "primary" : "metis.local:57038",
    "me" : "metis.local:57048",
    "lastWrite" : {
        "opTime" : {
            "ts" : Timestamp(1523475952, 1),
            "t" : NumberLong(3)
        },
        "lastWriteDate" : ISODate("2018-04-11T19:45:52Z"),
        "majorityOpTime" : {
            "ts" : Timestamp(1523475952, 1),
            "t" : NumberLong(3)
        },
        "majorityWriteDate" : ISODate("2018-04-11T19:45:52Z")
    },
    "maxBsonObjectSize" : 16777216,
    "maxMessageSizeBytes" : 48000000,
    "maxWriteBatchSize" : 100000,
    "localTime" : ISODate("2018-04-11T19:45:58.059Z"),
    "logicalSessionTimeoutMinutes" : 30,
    "minWireVersion" : 0,
    "maxWireVersion" : 7,
    "readOnly" : false,
    "saslSupportedMechs" : [
        "SCRAM-SHA-256",
        "SCRAM-SHA-1"
    ],
    "ok" : 1,
    "operationTime" : Timestamp(1523475952, 1)
}
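
The driver-side decision this report depends on, as an added sketch that is not driver or server source and not part of the original report. The function name planAuth, the arbiterOnly check, the SCRAM-SHA-1 fallback and the trimmed sample replies are assumptions made for illustration; the replies are constructed from the output shown above.

```javascript
// Added example, not driver source. Replies are constructed from the shapes in this report.
const MECH_PREFERENCE = ["SCRAM-SHA-256", "SCRAM-SHA-1"]; // strongest first

// Decide what to do after the initial ismaster that carried saslSupportedMechs.
function planAuth(reply) {
  if (reply.ok !== 1) {
    // Behaviour reported here: the handshake itself errors, so the driver
    // never learns that the member is an arbiter.
    return { action: "fail", detail: `${reply.codeName}: ${reply.errmsg}` };
  }
  if (reply.arbiterOnly === true) {
    // Assumption: arbiters mark themselves with arbiterOnly in a normal reply.
    return { action: "skip-auth", detail: "arbiter" };
  }
  const offered = reply.saslSupportedMechs;
  if (!Array.isArray(offered)) {
    // Assumption: with no list in the reply the driver falls back to SCRAM-SHA-1.
    return { action: "authenticate", detail: "SCRAM-SHA-1" };
  }
  // Take the strongest mechanism both sides support, never the first one listed.
  const mech = MECH_PREFERENCE.find((m) => offered.includes(m));
  return mech
    ? { action: "authenticate", detail: mech }
    : { action: "fail", detail: "no mutually supported mechanism" };
}

// Constructed sample replies (trimmed to the fields the decision reads).
const arbiterReported = {
  ok: 0, errmsg: "Could not find user root@admin", code: 11, codeName: "UserNotFound",
};
const arbiterRequested = {
  ismaster: false, secondary: false, arbiterOnly: true, setName: "foo", ok: 1,
};
const secondaryReply = {
  ismaster: false, secondary: true, setName: "foo",
  saslSupportedMechs: ["SCRAM-SHA-256", "SCRAM-SHA-1"], ok: 1,
};

const samples = { arbiterReported, arbiterRequested, secondaryReply };
for (const [name, reply] of Object.entries(samples)) {
  const plan = planAuth(reply);
  console.log(`${name}: ${plan.action} (${plan.detail})`);
}
```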